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May  19,  2009 

The  President 
The  White  House 
Washington,  DC  20500 

Dear  Mr.  President: 

I am  pleased  to  submit  the  Information  Security  Oversight  Office’s  (ISOO)  Cost  Report  for  Fiscal 
Year  2008. 

This  report  provides  information  on  the  cost  estimates  of  the  security  classification  program  as 
required  by  Executive  Order  12958,  as  amended,  “Classified  National  Security  Information.”  It 
provides  statistics  and  analysis  concerning  key  components  of  the  system  from  41  Executive  branch 
agencies.  It  also  contains  cost  information  with  respect  to  industrial  security  in  the  private  sector  as 
required  by  Executive  Order  12829,  as  amended,  “National  Industrial  Security  Program.”  The  cost 
estimates  from  the  Central  Intelligence  Agency,  the  Defense  Intelligence  Agency,  the  Office  of  the 
Director  of  National  Intelligence,  the  National  Geospatial-Intelligence  Agency,  the  National 
Reconnaissance  Office,  and  the  National  Security  Agency,  are  compiled  in  a classified  addendum  to 
this  report  that  is  being  transmitted  separately. 

Our  interaction  with  Executive  branch  agencies  has  revealed  that  the  category,  “Professional 
Education,  Training  and  Awareness,”  requires  additional  investment,  and  the  categories  of  “Security 
Management  and  Planning”  and  “Declassification”  need  to  be  examined  by  agencies  to  support 
increased  capability  to  oversee  classification  activity  and  to  better  implement  declassification.  These 
three  categories  are  critically  important  to  a sound  classification  system,  particularly  at  this  time, 
given  the  national  security  challenges  we  face  and  the  limited  resources  available  to  classify, 
safeguard,  and  declassify  national  security  information. 

A responsible  and  efficient  security  classification  program  requires  commitment,  diligence,  and 
integrity.  It  is  of  particular  importance  that  the  classification  system  be  implemented  in  a manner 
that  makes  for  the  most  efficient  and  effective  use  of  the  finite  resources  available  to  departments  and 
agencies.  As  ISOO  oversees  the  trends  in  this  system,  we  will  continue  to  focus  on  enhancing  the 
policy  and  guidance  to  this  end. 

Respectfully, 


WILLIAM  J.  BOSANKO 
Director 

Enclosure 

cc:  General  James  L.  Jones,  USMC,  Ret. 

Assistant  to  the  President  for  National  Security  Affairs 


FISCAL  YEAR  2008  REPORT  ON  COST  ESTIMATES  FOR  SECURITY  CLASSIFICATION 
ACTIVITIES 


BACKGROUND  AND  METHODOLOGY 

As  part  of  its  responsibilities  to  oversee  agency  actions  to  ensure  compliance  with  Executive 
Order  (E.O.)  12958,  as  amended,  "Classified  National  Security  Information,"  and  E.O.  12829,  as 
amended,  "National  Industrial  Security  Program,"  the  Information  Security  Oversight  Office 
(ISOO)  annually  reports  to  the  President  on  the  estimated  costs  associated  with  the 
implementation  of  these  Executive  orders. 

ISOO  relies  on  the  agencies  to  estimate  the  costs  of  the  security  classification  system.  Requiring 
agencies  to  provide  exact  responses  to  the  cost  collection  efforts  would  be  cost  prohibitive.  The 
collection  methodology  used  in  this  report  has  consistently  provided  a good  indication  of  the 
trends  in  total  cost.  Nonetheless,  it  is  important  to  note  that  absent  any  security  classification 
activity,  many  of  the  expenditures  reported  herein  would  continue  to  be  made  in  order  to  address 
other,  overlapping  security  requirements. 

The  data  for  Government  presented  in  this  report  were  collected  by  categories  based  on  common 
definitions  developed  by  an  Executive  branch  working  group.  The  categories  are  defined  below. 

Personnel  Security  : A series  of  interlocking  and  mutually  supporting  program  elements  that 
initially  establish  a Government  or  contractor  employee's  eligibility  and  ensure  suitability  for  the 
continued  access  to  classified  information. 

Physical  Security:  That  portion  of  security  concerned  with  physical  measures  designed  to 
safeguard  and  protect  classified  facilities  and  information,  domestic,  or  foreign. 

Information  Security:  Includes  four  subcategories: 

Classification  Management:  The  system  of  administrative  policies  and  procedures  for 
identifying,  controlling,  and  protecting  classified  information  from  unauthorized 
disclosure,  the  protection  of  which  is  authorized  by  Executive  order  or  statute. 
Classification  management  encompasses  those  resources  used  to  identify,  control, 
transfer,  transmit,  retrieve,  inventory,  archive,  or  destroy  classified  information. 

Declassification:  The  authorized  change  in  the  status  of  information  from  classified 
information  to  unclassified  information.  It  encompasses  those  resources  used  to  identify 
and  process  information  subject  to  the  automatic,  systematic,  and  mandatory  review 
programs  established  by  E.O.  12958,  as  amended,  as  well  as  declassification  activities 
required  by  statute. 

Information  Systems  Security  for  Classified  Information:  An  information  system  is  a set 
of  information  resources  organized  for  the  collection,  storage,  processing,  maintenance, 
use,  sharing,  dissemination,  disposition,  display,  or  transmission  of  information.  Security 
of  these  systems  involves  the  protection  of  information  systems  against  unauthorized 
access  to  or  modification  of  information,  whether  in  storage,  processing,  or  transit,  and 
against  the  denial  of  service  to  authorized  users,  including  those  measures  necessary  to 
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detect,  document,  and  counter  such  threats.  It  can  include,  but  is  not  limited  to,  the 
provision  of  all  security  features  needed  to  provide  an  accredited  system  of  computer 
hardware  and  software  for  protection  of  classified  information,  material,  or  processes  in 
automated  systems. 

Miscellaneous:  Includes  two  subcategories.- 

Operations  Security  (OPSEC):  Systematic  and  proven  process  by  which  potential 
adversaries  can  be  denied  information  about  capabilities  and  intentions  by 
identifying,  controlling,  and  protecting  generally  unclassified  evidence  of  the 
planning  and  execution  of  sensitive  activities.  The  process  involves  five  steps: 
identification  of  critical  information,  analysis  of  threats,  analysis  of 
vulnerabilities,  assessment  of  risks,  and  application  of  appropriate 
countermeasures. 

Technical  Surveillance  Countermeasures  (TSCM):  Personnel  and  operating 
expenses  associated  with  the  development,  training  and  application  of  technical 
security  countermeasures  such  as  non-destructive  and  destructive  searches, 
electromagnetic  energy  searches,  and  telephone  system  searches. 

Professional  Education,  Training  and  Awareness:  The  establishment,  maintenance,  direction, 
support,  and  assessment  of  a security  training  and  awareness  program;  the  certification  and 
approval  of  the  training  program;  the  development,  management,  and  maintenance  of  training 
records;  the  training  of  personnel  to  perform  tasks  associated  with  their  duties;  and  qualification 
and/or  certification  of  personnel  before  assignment  of  security  responsibilities  related  to 
classified  information. 

Security  Management  and  Planning:  Development  and  implementation  of  plans,  procedures, 
and  actions  to  accomplish  policy  requirements,  develop  budget  and  resource  requirements, 
oversee  organizational  activities,  and  respond  to  management  requests  related  to  classified 
information. 

Unique  Items:  Those  department-  or  agency-specific  activities  that  are  not  reported  in  any  of  the 
primary  categories  but  are  nonetheless  significant  and  need  to  be  included. 

SURVEY  RESULTS  AND  INTERPRETATION 

The  total  security  classification  cost  estimate  within  Government  for  Fiscal  Year  (FY)  2008  is 
$8.64  billion.  This  figure  represents  estimates  provided  by  41  executive  branch  agencies, 
including  the  Department  of  Defense  (DoD).  It  does  not  include  the  cost  estimates  of  the  Central 
Intelligence  Agency,  the  Defense  Intelligence  Agency,  the  Office  of  the  Director  of  National 
Intelligence,  the  National  Geospatial-Intelligence  Agency,  the  National  Reconnaissance  Office, 
and  the  National  Security  Agency,  which  those  agencies  have  classified  in  accordance  with 
Intelligence  Community  classification  guidance.  However,  those  costs  are  reported  to  ISOO  and 
are  included  in  a classified  addendum  to  this  report. 
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Government  Security  Classification  Costs  Estimate 
FY  2008 


$129  Billion 


$1.19  Billion 


$1.10  Billion 


$8.8  Million 


Miscellaneous 
(OPSEC  & TSCM) 

Qassification 
Management  * 

334  Million 

Dedassification 
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(1%) 
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Billions 


The  total  security  classification  costs  for  Executive  branch  agencies  decreased  by  $13  million  in 
FY  2008.  In  addition  to  reporting  estimated  costs  for  six  security  classification  categories,  some 
agencies  also  provided  explanations  for  significant  decreases  or  increases  in  costs. 

Information  Security  continues  to  be  the  most  costly  category  reported  by  agencies,  representing 
56  percent  of  total  security  classification  costs  for  FY  2008.  Of  the  four  subcategories  of 
Information  Security,  Information  Systems  Security  continues  to  be  the  most  costly,  at  $4.3 
billion,  or  90  percent  of  estimated  costs  for  Information  Security. 

For  FY  2008,  Executive  branch  agencies  reported  a $78  million  decrease  in  costs  associated  with 
Physical  Security.  This  5.7  percent  decrease  was  primarily  attributed  to  the  completion  of 
physical  projects,  including  Sensitive  Compartmented  Information  Facilities,  emergency 
operational  control  centers.  Continuity  of  Operations  sites,  and  enhanced  physical  security 
features  to  existing  facilities. 

Agencies  reported  a $134  million  decrease  in  Security  Management  and  Planning  costs  for  FY 
2008.  This  10.1  percent  decrease  was  primarily  a result  of  a $137  million  decrease  in  the  cost 
estimate  reported  by  DoD. 
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For  FY  2008,  agencies  reported  a slight  decrease  of  $629,000  in  estimated  costs  associated  with 
Personnel  Security.  While  several  agencies  reported  an  increase  in  costs  associated  with  security 
clearances,  several  agencies  reported  decreases  in  these  costs. 

Executive  branch  agencies  reported  a 15.4  percent  increase  in  costs  for  Professional  Education, 
Training  and  Awareness  for  FY  2008.  This  $32.5  million  increase  was  primarily  attributed  to 
the  development  of  aggressive  training  programs,  including  computer-based  training,  for  many 
agencies. 

Although  costs  associated  with  Unique  Items  increased  by  $888,000  (11  percent),  this  category 
continues  to  be  the  smallest  at  $8.8  million,  or  less  than  one  percent  of  the  total. 


Government  Security  Classification  Costs 


Fiscal  Year 


All  five  categories  of  Government  Security  Classification  costs  represented  in  the  above  graph 
increased  from  FY  1995  (see  below  for  Information  Security  costs).  Physical  Security  costs 
increased  $1.1  billion  from  FY  1995,  more  than  any  other  category.  Security  Management  and 
Planning  costs  increased  $939  million  since  FY  1995,  representing  the  second  largest  increase  in 
costs.  Personnel  Security  increased  $464  million  from  FY  1995,  the  third  largest  increase  in 
costs.  In  FY  1995,  agencies  spent  more  on  Personnel  Security  ($633  million)  than  Security 
Management  and  Planning  ($257  million)  and  Physical  Security  ($175  million).  In  FY  2008, 
Physical  Security  was  more  costly  for  agencies  ($  1 .289  billion)  than  Security  Management  and 
Planning  ($1,196  billion)  and  Personnel  Security  ($1,097  billion).  Professional  Education, 
Training  and  Awareness  costs  increased  $176  million  from  FY  1995,  representing  an  increase  of 
263  percent.  Costs  associated  with  Unique  Items  have  increased  $2.4  million  from  FY  1995,  or 
38  percent. 
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From  FY  1995  through  FY  2008,  Information  Systems  Security  has  been  the  most  costly 
subcategory  of  Information  Security.  Information  Systems  Security  costs  increased  by  $3. 1 
billion  since  FY  1995,  or  258  percent.  From  FY  2001  through  FY  2004,  the  average  annual 
increase  was  $500  million,  whereas  from  FY  2005  through  FY  2008,  the  average  annual  increase 
was  $250  million. 


The  three  smaller  subcategories  of  Information  Security  are  Classification  Management, 
Miscellaneous  (OPSEC  and  TSCM),  and  Declassification.  From  FY  1995  through  FY  2008, 
Classification  Management  was  the  most  costly  subcategory,  with  the  exception  of  three  years 
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when  costs  for  Declassification  were  higher.  In  FY  1999,  FY  2000,  and  FY  2001,  agencies  spent 
an  average  of  $14  million  more  on  Declassification  than  on  Classification  Management.  As 
represented  on  the  graph  above.  Classification  costs  fi’om  FY  1995  through  FY  1997  also  include 
Declassification  costs,  which  were  not  separated  into  its  own  subcategory  until  FY  1998.  From 
FY  1998  through  FY  2008,  Declassification  costs  decreased  by  $157  million.  This  fiscal  year, 
spending  on  Declassification  decreased  by  4.2  percent  and  constituted  only  0.5  percent  of  total 
security  classification  costs  for  FY  2008. 

In  FY  2003,  agencies  began  reporting  OPSEC  and  TSCM  costs  in  the  Miscellaneous  subcategory 
within  Information  Security.  Prior  to  that,  these  costs  had  not  been  reported  at  all.  From  FY 
2003  through  FY  2008,  agencies  have  reported  an  increase  of  $75  million  in  these  costs.  Only  a 
small  number  of  agencies  are  reporting  significant  costs  in  this  subcategory.  This  year,  four 
agencies  (DoD,  Department  of  State,  Department  of  Energy,  and  Department  of  Justice) 
accounted  for  82  percent  of  the  total  in  this  subcategory. 


Total  Costs  for  Government  and  Industry 
FY1995-  FY2008 


To  fulfill  the  cost  reporting  requirements  of  E.O.  12829,  as  amended,  a joint  DoD  and  industry 
group  developed  a cost  collection  methodology  for  those  costs  associated  with  the  use  and 
protection  of  classified  information  within  industry.  For  FY  2008,  the  Defense  Security  Service 
collected  industry  cost  data  and  provided  the  estimate  to  ISOO. 

Cost  estimate  data  are  not  provided  by  category  because  industry  accounts  for  its  costs 
differently  than  Government.  Rather,  a sampling  method  was  applied  that  included  volunteer 
companies  from  four  different  categories  of  facilities.  The  category  of  facility  is  based  on  the 
complexity  of  security  requirements  that  a particular  company  must  meet  in  order  to  hold  and 
perform  under  a classified  contract  with  a Government  agency. 

The  FY  2008  cost  estimate  totals  for  industry  pertain  to  the  twelve-month  accounting  period  for 
the  most  recently  completed  fiscal  year  of  the  companies  that  were  part  of  the  industry  sample. 
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For  most  of  the  590  companies  included  in  the  sample,  December  31, 2008,  was  the  end  of  their 
fiscal  year.  The  estimate  of  total  security  classification  costs  for  FY  2008  within  industry  is 
$1.21  billion,  a decrease  of  $50  million  from  $1.26  billion  for  FY  2007. 

CONCLUSION 

This  year’s  estimate  for  Government  and  industry  shows  a decrease  of  $63  million.  From  FY 
1 995  through  FY  2008,  there  was  an  increase  of  $4.25  billion  in  total  costs.  The  decrease  for  FY 
2008  suggests  a continuing  stabilization  in  security  requirements  and  programs  generated  by  the 
homeland  defense  concerns  in  the  post-2001  environment.  The  average  annual  increase  from  FY 
2002  through  FY  2005  was  $927.5  million  compared  to  an  average  annual  increase  of  only 
$220.2  million  from  FY  2006  through  FY  2008. 
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